[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88

2024-04-24 Thread Jeremy Bícha
Jeff, that's just how Launchpad is configured. Sorry.

But there is a better way to look for security issues in a package than
trying to navigate Launchpad:

https://ubuntu.com/security/cves?package=flatpak

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2062406

Title:
  CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/2062406/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88

2024-04-24 Thread Jia Tan
The Ubuntu packages turned out to be safe, but administrators of high
security environments should still reach out privately for an assessment
done by adding a test repository. Please make this issue private, it's
confusing for users, making my work harder.


[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88

2024-04-24 Thread Jeff
While I'm not fully familiar with how things are done here, is it really
sensible that the "Fix Released" status prevents search on the main page
from even finding this issue?

We aren't far from the upstream fixes being available for a week already
without any of the supported releases of Ubuntu getting a fix, and even
the visibility of the problem is significantly limited.

It's a sandbox escape vulnerability, therefore privilege escalation.
Upstream took it seriously, as smcv mentioned there are even multiple
fixed versions to choose from to update to, but regular users don't even
get to know that they have been affected by a vulnerability marked with
high severity upstream for so long.


[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88

2024-04-21 Thread Simon McVittie
This also affects focal, bionic, and older LTS suites.

If it's possible to update focal to 1.12.9 from the upstream 1.12.x
stable branch, that would also resolve LP: #2063034 and LP: #2063035.
There isn't much point in the upstream developers doing 1.12.x releases
if distributions aren't going to pick them up.


[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88

2024-04-21 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: flatpak (Ubuntu Jammy)
   Status: New => Confirmed


[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88

2024-04-21 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: flatpak (Ubuntu Mantic)
   Status: New => Confirmed


[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88

2024-04-21 Thread Simon McVittie
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-32462


[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88

2024-04-20 Thread Jeremy Bícha
I'm not working on the stable security updates now but I opened tasks
for them in case someone else wants to contribute.

** Also affects: flatpak (Ubuntu Jammy)
   Importance: Undecided
   Status: New

** Also affects: flatpak (Ubuntu Mantic)
   Importance: Undecided
   Status: New


[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88

2024-04-19 Thread Jeff
Covering just Noble isn't really enough with Mantic and Jammy still providing 
vulnerable packages according to the advisory listing affected versions as:
- < 1.10.9
- 1.12.x < 1.12.9
- 1.14.x < 1.14.6
- 1.15.x < 1.15.8

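The ranges in Jeff's message are the ones an administrator has to compare an installed package against, and Debian/Ubuntu version strings carry an epoch and revision ("1:1.14.6-1ubuntu1") that have to be stripped before the upstream version can be compared. The script below is an added example, not code from this thread, from Ubuntu or from the flatpak project; the four ranges are copied from the advisory as quoted above, while the Debian-style parsing, the handling of "~" pre-release suffixes and the `flatpak --version` fallback are this example's own assumptions. It deliberately returns no verdict for branches the list does not mention (such as 1.11.x or 1.13.x).

```python
"""Check a flatpak package version against the CVE-2024-32462 ranges quoted
in the bug thread.  Added example; not from the thread, Ubuntu or flatpak."""
import re
import shutil
import subprocess
import sys

# (branch prefix, first fixed version), copied from the advisory as quoted in
# the thread.  None means "every version below the fix", which is how the
# advisory's bare "< 1.10.9" reads.
AFFECTED_RANGES = [
    (None, "1.10.9"),
    ("1.12", "1.12.9"),
    ("1.14", "1.14.6"),
    ("1.15", "1.15.8"),
]


def upstream_version(pkg_version):
    """Drop a Debian epoch and revision: '1:1.14.6-1ubuntu1' -> '1.14.6'.

    The revision follows the last hyphen; the upstream part may contain a
    hyphen only when a revision is present, so rsplit on '-' is safe.
    """
    without_epoch = pkg_version.split(":", 1)[-1]
    return without_epoch.rsplit("-", 1)[0]


def parse_version(v):
    """Sort key for a dotted version.

    '1.15.8~rc1' is a pre-release of 1.15.8 and must sort *below* it (Debian
    '~' semantics), which the second tuple element encodes.
    """
    base, tilde, _ = v.partition("~")
    nums = tuple(int(x) for x in re.findall(r"\d+", base))
    if not nums:
        raise ValueError("no numeric components in version %r" % v)
    return (nums, -1 if tilde else 0)


def affected_range(pkg_version):
    """Return the advisory range the version falls in, or None.

    None means the version is at or above the fix for its branch, or is on a
    branch the advisory list does not mention; no claim is made about those.
    """
    key = parse_version(upstream_version(pkg_version))
    for branch, fixed in AFFECTED_RANGES:
        if branch is not None and key[0][:2] != parse_version(branch)[0]:
            continue  # version is on a different x.y branch
        if key < parse_version(fixed):
            return f"{branch}.x < {fixed}" if branch else f"< {fixed}"
    return None


def installed_flatpak_version():
    """Best effort: take the last token of `flatpak --version` ('Flatpak 1.14.6')."""
    if shutil.which("flatpak") is None:
        return None
    out = subprocess.run(["flatpak", "--version"], capture_output=True, text=True)
    tokens = out.stdout.split()
    return tokens[-1] if out.returncode == 0 and tokens else None


if __name__ == "__main__":
    version = sys.argv[1] if len(sys.argv) > 1 else installed_flatpak_version()
    if version is None:
        sys.exit("usage: %s <flatpak version, e.g. 1.14.6-1>" % sys.argv[0])
    hit = affected_range(version)
    if hit:
        print(f"{version} is inside the affected range {hit}")
    else:
        print(f"{version} is not in any listed affected range")
```

A version-only check is a screening tool, not a verdict: distributions routinely backport a security fix without moving to the upstream version (the thread itself discusses syncing 1.14.6-1 *instead of* backporting), so a patched package can still report a version inside a listed range. For Ubuntu, the per-package CVE tracker Jeremy links above (https://ubuntu.com/security/cves?package=flatpak) is the authoritative source for which builds carry the fix.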

[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88

2024-04-19 Thread Jeremy Bícha
I'm manually closing the bug now since it was accepted into noble-proposed
without an LP bug number. I'll watch to make sure it migrates to the noble
release.

https://launchpad.net/ubuntu/+source/flatpak/1.14.6-1

** Changed in: flatpak (Ubuntu)
   Status: Fix Committed => Fix Released


[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88

2024-04-19 Thread Jeremy Bícha
** Changed in: flatpak (Ubuntu)
   Status: In Progress => Fix Committed


[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88

2024-04-18 Thread Jeremy Bícha
** Tags added: noble upgrade-software-version

** Description changed:

  Upstream advisory:
  https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj
  
  If possible please sync 1.14.6-1 from Debian instead of backporting
  fixes. That version only fixes the security issue and one other high-
  visibility bug (app developer names showing in the CLI as though they
  were the app's name).
+ 
+ https://github.com/flatpak/flatpak/compare/1.14.5...1.14.6


[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88

2024-04-18 Thread Jeremy Bícha
** Changed in: flatpak (Ubuntu)
   Status: New => In Progress

** Changed in: flatpak (Ubuntu)
 Assignee: (unassigned) => Jeremy Bícha (jbicha)

** Changed in: flatpak (Ubuntu)
   Importance: Undecided => High
